diff --git a/refpolicy/policy/modules.conf b/refpolicy/policy/modules.conf
index c5e97df..f308739 100644
--- a/refpolicy/policy/modules.conf
+++ b/refpolicy/policy/modules.conf
@@ -12,14 +12,6 @@
#
# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Layer: kernel
# Module: filesystem
# Required in base
#
@@ -60,6 +52,14 @@ terminal = base
kernel = base
# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
# Module: corenetwork
# Required in base
#
@@ -262,13 +262,6 @@ storage = base
portmap = module
# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = base
-
-# Layer: services
# Module: remotelogin
#
# Policy for rshd, rlogind, and telnetd.
@@ -276,32 +269,25 @@ apm = base
remotelogin = base
# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-#
-rlogin = base
-
-# Layer: services
-# Module: postfix
+# Module: ntp
#
-# Postfix email server
+# Network time protocol daemon
#
-postfix = base
+ntp = base
# Layer: services
-# Module: cyrus
+# Module: rlogin
#
-# Cyrus is an IMAP service intended to be run on sealed servers
+# Remote login daemon
#
-cyrus = base
+rlogin = base
# Layer: services
-# Module: rsync
+# Module: inetd
#
-# Fast incremental file transfer for synchronization
+# Internet services daemon.
#
-rsync = base
+inetd = base
# Layer: services
# Module: ktalk
@@ -318,11 +304,11 @@ ktalk = base
finger = base
# Layer: services
-# Module: cron
+# Module: howl
#
-# Periodic execution of scheduled commands.
+# Port of Apple Rendezvous multicast DNS
#
-cron = base
+howl = base
# Layer: services
# Module: tftp
@@ -332,11 +318,11 @@ cron = base
tftp = base
# Layer: services
-# Module: canna
+# Module: kerberos
#
-# Canna - kana-kanji conversion server
+# MIT Kerberos admin and KDC
#
-canna = base
+kerberos = base
# Layer: services
# Module: gpm
@@ -346,53 +332,53 @@ canna = base
gpm = off
# Layer: services
-# Module: nscd
+# Module: uucp
#
-# Name service cache daemon
+# Unix to Unix Copy
#
-nscd = base
+uucp = base
# Layer: services
-# Module: sendmail
+# Module: apache
#
-# Policy for sendmail.
+# Apache web server
#
-sendmail = off
+apache = module
# Layer: services
-# Module: stunnel
+# Module: dhcp
#
-# SSL Tunneling Proxy
+# Dynamic host configuration protocol (DHCP) server
#
-stunnel = base
+dhcp = module
# Layer: services
-# Module: dbus
+# Module: inn
#
-# Desktop messaging bus
+# Internet News NNTP server
#
-dbus = base
+inn = base
# Layer: services
-# Module: ftp
+# Module: sendmail
#
-# File transfer protocol service
+# Policy for sendmail.
#
-ftp = base
+sendmail = off
# Layer: services
-# Module: dbskk
+# Module: dbus
#
-# Dictionary server for the SKK Japanese input method system.
+# Desktop messaging bus
#
-dbskk = base
+dbus = base
# Layer: services
-# Module: tcpd
+# Module: rshd
#
-# Policy for TCP daemon.
+# Remote shell service.
#
-tcpd = base
+rshd = base
# Layer: services
# Module: radvd
@@ -402,13 +388,6 @@ tcpd = base
radvd = base
# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = base
-
-# Layer: services
# Module: sasl
#
# SASL authentication server
@@ -423,11 +402,18 @@ sasl = base
postgresql = module
# Layer: services
-# Module: ntp
+# Module: hal
#
-# Network time protocol daemon
+# Hardware abstraction layer
#
-ntp = base
+hal = base
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = base
# Layer: services
# Module: ldap
@@ -437,18 +423,25 @@ ntp = base
ldap = module
# Layer: services
-# Module: inetd
+# Module: mysql
#
-# Internet services daemon.
+# Policy for MySQL
#
-inetd = base
+mysql = module
# Layer: services
-# Module: apache
+# Module: bind
#
-# Apache web server
+# Berkeley internet name domain DNS server.
#
-apache = module
+bind = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
# Layer: services
# Module: squid
@@ -458,11 +451,11 @@ apache = module
squid = module
# Layer: services
-# Module: howl
+# Module: mailman
#
-# Port of Apple Rendezvous multicast DNS
+# Mailman is for managing electronic mail discussion and e-newsletter lists
#
-howl = base
+mailman = module
# Layer: services
# Module: dictd
@@ -472,90 +465,95 @@ howl = base
dictd = base
# Layer: services
-# Module: kerberos
+# Module: privoxy
#
-# MIT Kerberos admin and KDC
+# Privacy enhancing web proxy.
#
-kerberos = base
+privoxy = base
# Layer: services
-# Module: radius
+# Module: nis
#
-# RADIUS authentication and accounting server.
+# Policy for NIS (YP) servers and clients
#
-radius = base
+nis = base
# Layer: services
-# Module: uucp
+# Module: telnet
#
-# Unix to Unix Copy
+# Telnet daemon
#
-uucp = base
+telnet = off
# Layer: services
-# Module: nis
+# Module: comsat
#
-# Policy for NIS (YP) servers and clients
+# Comsat, a biff server.
#
-nis = base
+comsat = base
# Layer: services
-# Module: dhcp
+# Module: ssh
#
-# Dynamic host configuration protocol (DHCP) server
+# Secure shell client and server policy.
#
-dhcp = module
+ssh = off
# Layer: services
-# Module: samba
+# Module: cvs
#
-# SMB and CIFS client/server programs for UNIX and
-# name Service Switch daemon for resolving names
-# from Windows NT servers.
+# Concurrent versions system
#
-samba = module
+cvs = base
# Layer: services
-# Module: telnet
+# Module: ppp
#
-# Telnet daemon
+# Point to Point Protocol daemon creates links in ppp networks
#
-telnet = off
+ppp = base
# Layer: services
-# Module: inn
+# Module: arpwatch
#
-# Internet News NNTP server
+# Ethernet activity monitor.
#
-inn = base
+arpwatch = base
# Layer: services
-# Module: ssh
+# Module: bluetooth
#
-# Secure shell client and server policy.
+# Bluetooth tools and system services.
#
-ssh = off
+bluetooth = base
# Layer: services
-# Module: networkmanager
+# Module: apm
#
-# Manager for dynamically switching between networks.
+# Advanced power management daemon
#
-networkmanager = base
+apm = base
# Layer: services
-# Module: xdm
+# Module: mta
#
-# X windows login display manager
+# Policy common to all email tranfer agents.
#
-xdm = base
+mta = base
# Layer: services
-# Module: arpwatch
+# Module: nscd
#
-# Ethernet activity monitor.
+# Name service cache daemon
#
-arpwatch = base
+nscd = base
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = base
# Layer: services
# Module: distcc
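Review bot: The moved description line `# Policy common to all email tranfer agents.` under `# Module: mta` carries a typo that the reorder preserves; since the line is rewritten on the new side anyway, it is the cheapest moment to make it `# Policy common to all email transfer agents.`. The same applies to `managment` in the rpc description in the last modules.conf hunk (`# Remote Procedure Call Daemon for management of network based process communication`). Every module keeps its previous `base`/`module`/`off` value in this reorder, so no behavioural change is visible here.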
@@ -565,25 +563,27 @@ arpwatch = base
distcc = off
# Layer: services
-# Module: mta
+# Module: samba
#
-# Policy common to all email tranfer agents.
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
#
-mta = base
+samba = module
# Layer: services
-# Module: zebra
+# Module: cyrus
#
-# Zebra border gateway protocol network routing service
+# Cyrus is an IMAP service intended to be run on sealed servers
#
-zebra = base
+cyrus = base
# Layer: services
-# Module: hal
+# Module: ftp
#
-# Hardware abstraction layer
+# File transfer protocol service
#
-hal = base
+ftp = base
# Layer: services
# Module: cpucontrol
@@ -593,109 +593,109 @@ hal = base
cpucontrol = base
# Layer: services
-# Module: mysql
+# Module: dovecot
#
-# Policy for MySQL
+# Dovecot POP and IMAP mail server
#
-mysql = module
+dovecot = base
# Layer: services
-# Module: cups
+# Module: rsync
#
-# Common UNIX printing system
+# Fast incremental file transfer for synchronization
#
-cups = base
+rsync = base
# Layer: services
-# Module: bind
+# Module: canna
#
-# Berkeley internet name domain DNS server.
+# Canna - kana-kanji conversion server
#
-bind = module
+canna = base
# Layer: services
-# Module: snmp
+# Module: cron
#
-# Simple network management protocol services
+# Periodic execution of scheduled commands.
#
-snmp = module
+cron = base
# Layer: services
-# Module: spamassassin
+# Module: tcpd
#
-# Filter used for removing unsolicited email.
+# Policy for TCP daemon.
#
-spamassassin = base
+tcpd = base
# Layer: services
-# Module: mailman
+# Module: xdm
#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
+# X windows login display manager
#
-mailman = module
+xdm = base
# Layer: services
-# Module: lpd
+# Module: networkmanager
#
-# Line printer daemon
+# Manager for dynamically switching between networks.
#
-lpd = base
+networkmanager = base
# Layer: services
-# Module: privoxy
+# Module: dbskk
#
-# Privacy enhancing web proxy.
+# Dictionary server for the SKK Japanese input method system.
#
-privoxy = base
+dbskk = base
# Layer: services
-# Module: comsat
+# Module: pegasus
#
-# Comsat, a biff server.
+# The Open Group Pegasus CIM/WBEM Server.
#
-comsat = base
+pegasus = base
# Layer: services
-# Module: cvs
+# Module: radius
#
-# Concurrent versions system
+# RADIUS authentication and accounting server.
#
-cvs = base
+radius = base
# Layer: services
-# Module: ppp
+# Module: spamassassin
#
-# Point to Point Protocol daemon creates links in ppp networks
+# Filter used for removing unsolicited email.
#
-ppp = base
+spamassassin = base
# Layer: services
-# Module: dovecot
+# Module: postfix
#
-# Dovecot POP and IMAP mail server
+# Postfix email server
#
-dovecot = base
+postfix = base
# Layer: services
-# Module: bluetooth
+# Module: cups
#
-# Bluetooth tools and system services.
+# Common UNIX printing system
#
-bluetooth = base
+cups = base
# Layer: services
-# Module: pegasus
+# Module: rpc
#
-# The Open Group Pegasus CIM/WBEM Server.
+# Remote Procedure Call Daemon for managment of network based process communication
#
-pegasus = base
+rpc = base
# Layer: services
-# Module: rpc
+# Module: lpd
#
-# Remote Procedure Call Daemon for managment of network based process communication
+# Line printer daemon
#
-rpc = base
+lpd = base
# Layer: system
# Module: unconfined
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index d3adfd9..85611b6 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -5,7 +5,7 @@ policy_module(dovecot,1.0)
#
# Declarations
#
-type dovecot_t; #, privhome;
+type dovecot_t;
type dovecot_exec_t;
init_daemon_domain(dovecot_t,dovecot_exec_t)
@@ -111,6 +111,7 @@ sysnet_use_ldap(dovecot_auth_t)
userdom_dontaudit_use_unpriv_user_fd(dovecot_t)
userdom_dontaudit_search_sysadm_home_dir(dovecot_t)
+userdom_priveleged_home_dir_manager(dovecot_t)
mta_append_spool(dovecot_t)
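Review bot: The added `userdom_priveleged_home_dir_manager(dovecot_t)` gives dovecot_t the `privhome` attribute, which the new interface's own description says allows managing the contents of all users' general home directories, and nothing in the hunk records why the daemon needs that scope; a one-line comment above the call, e.g. `# privhome: needed for <reason, e.g. per-user mail stores under home dirs — confirm>`, would let a later reviewer judge whether the grant is still required. The interface name also misspells "privileged", and because this commit introduces the only callers, fixing the spelling in userdomain.if, here, and in the samba.te hunk that makes the same call for winbind_t is cheapest now rather than after other modules depend on it. Both points apply equally to the samba.te hunk.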
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index d3364c5..315343c 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -179,10 +179,10 @@ optional_policy(`cron.te',`
')
optional_policy(`inetd.te',`
- tunable_policy(`! ftpd_is_daemon',`
- #reh: typeattributes not allowed in conditionals yet.
- #inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
- ')
+ #reh: typeattributes not allowed in conditionals yet.
+ #tunable_policy(`! ftpd_is_daemon',`
+ # inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+ #')
optional_policy(`tcpd.te',`
tunable_policy(`! ftpd_is_daemon',`
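Review bot: After this change the `optional_policy(`inetd.te',`` block at the top of the hunk contains only comment lines, so when `ftpd_is_daemon` is false and ftpd is launched from inetd no transition to ftpd_t is set up at all; the commit replaces a block that could not build with one that silently does nothing. The comment should say that plainly so the gap is not mistaken for intended behaviour, e.g. `# TODO: typeattribute is not allowed inside tunable_policy yet, so ftpd started from inetd is currently not transitioned to ftpd_t; remove the tcpd-only assumption once this is supported`. The closing `')` of the inetd block is not visible in this extract, so it is worth confirming in a build that an optional block whose expansion is empty is accepted by the policy tools.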
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index d53dffc..ae2542d 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -54,7 +54,7 @@ domain_type(smbmount_t)
type smbmount_exec_t;
domain_entry_file(smbmount_t,smbmount_exec_t)
-type winbind_t; # privhome
+type winbind_t;
type winbind_exec_t;
init_daemon_domain(winbind_t,winbind_exec_t)
@@ -608,6 +608,7 @@ sysnet_dns_name_resolve(winbind_t)
userdom_dontaudit_use_unpriv_user_fd(winbind_t)
userdom_dontaudit_search_sysadm_home_dir(winbind_t)
+userdom_priveleged_home_dir_manager(winbind_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(winbind_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7b70a14..398c129 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2035,6 +2035,33 @@ interface(`userdom_manage_all_user_symlinks',`
########################################
##
+## Make the specified domain a privileged
+## home directory manager.
+##
+##
+##
+## Make the specified domain a privileged
+## home directory manager. This domain will be
+## able to manage the contents of all users
+## general home directory content, and create
+## files with the correct context.
+##
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`userdom_priveleged_home_dir_manager',`
+ gen_require(`
+ attribute privhome;
+ ')
+
+ files_list_home($1)
+ typeattribute $1 privhome;
+')
+
+########################################
+##
## Send general signals to unprivileged user domains.
##
##
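Review bot: The new interface name `userdom_priveleged_home_dir_manager` misspells "privileged"; since this commit also adds its only two callers (dovecot.te and samba.te), renaming now to `userdom_privileged_home_dir_manager` is cheap, whereas later it would need a deprecated alias. The description promises that the domain can manage all users' home content and create files with the correct context, but the body only adds `files_list_home($1)` and the `privhome` typeattribute, so the actual access rights come from rules on the privhome attribute defined elsewhere; a sentence such as "The access granted by this attribute is defined by the rules on privhome in userdomain.te" would stop readers looking for them here. Given the breadth of the grant, the description should also state that it is meant only for daemons that must write into arbitrary users' home directories, which gives reviewers of future callers a criterion to apply.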